Krebs on Security

In-depth security news and investigation

The Obscurest Epoch is Today

“History is much decried; it is a tissue of errors, we are told, no doubt correctly; and rival historians expose each other’s blunders with gratification. Yet the worst historian has a clearer view of the period he studies than the best of us can hope to form of that in which we live. The obscurest epoch is to-day; and that for a thousand reasons of inchoate tendency, conflicting report, and sheer mass and multiplicity of experience; but chiefly, perhaps, by reason of an insidious shifting of landmarks.” – Robert Louis Stevenson

To say that there is a law enforcement manhunt on for the individuals responsible for posting credit report information on public figures and celebrities at the rogue site exposed.su would be a major understatement. I like to think that when that investigation is completed, some of the information I’ve helped to uncover about those affiliated with the site will come to light. For now, however, I’m content to retrace some of my footwork this past weekend that went into tracking individuals who may have been responsible for attacking my site and SWATing my home last Thursday.

I state upfront that the information in this piece is certainly not the whole story (most news reporting is, at best, a snapshot in time, a first rough draft of history). While the clues I’ve uncovered thus far point to the role of a single individual, this person is likely part of a larger group involved in hacking and SWATing activity.

In my story last week, I posted a copy of the internal database for booter.tw, one of several fee-for-service “booter” sites. Booter sites are perhaps most popular among online gaming enthusiasts, who like to use them to knock opponents offline; but they are frequently also used to launch debilitating attacks on Web sites. That leaked booter.tw database shows that the denial-of-service attack that hit my site last week was paid for by a booter.tw user with the account name “countonme,” and using the address “countonme@gmail.com.”

Since the attack, I reached out to the proprietor of booter.tw, a hacker who uses the nickname “Askaa.” He informed me that the individual who launched the attack on my site was a hacker who used the screen name Phobia. “Phobia hacked into the countonme account to make it look like the according user attacked you,” Askaa said in a brief interview over Skype instant message. Askaa declined to say why he was so confident of this information.

RealTeamHype’s Youtube page before the videos were deleted on Sunday.

Separately, over the weekend I received an email from a person who claimed to have direct knowledge of the attacks (perhaps because he, too, was involved). This individual said those who attacked my site were a group of young online video game enthusiasts who were upset that earlier in the week I’d written about ssndob.ru, a site that sells access to peoples’ credit files, Social Security numbers and other sensitive information.

According to this source, the hackers in this case belong to a four-man Xbox live gamer team that calls itself “Team Hype,” which until this past weekend had posted a number of videos to their own youtube.com channel, RealTeamHype (more on what happened to these videos in a moment).

According to the anonymous source, Team Hype consists of hackers who use the nicknames “Trojan,” “Shadow,” “Convict,” and “Phobia.” The source said the group used SSNs from ssndob.ru to hijack “gamertags,” online personas tied to Xbox Live game accounts, in this case specifically from Microsoft employees who work on the Xbox Live gaming platform. Some of the group members then sell those accounts to other Xbox Live players.

“They hack/social engineer Gamertags off Microsoft employees by using SSNs,” the source wrote. “I didn’t DDoS your site and I didn’t SWAT you, Phobia has been telling everyone he did. The method he released he said he gets SSNs, then calls phone companies and redirects the number and then gets xbox phone support to call number and confirm. I heard he got pissed that you released the site he uses. Also Trojan told a buddy of mine ‘fear’ (on AIM) something about a dead body in your closet about your swat.”

Snippet from @PhobiaTheGod’s now-closed Twitter account

The source said Phobia used the Twitter account @PhobiaTheGod (now closed, but partially available here and at this cache), and that Phobia’s personal information — including real name, address and phone number — had been “doxed” or released onto Pastebin-like sites some time ago. It didn’t take long to locate this profile at skidpaste.org (“skid” is a diminutive reference to the term “script kiddies,” referring to relatively unskilled young hackers who conduct most of their exploits using automated tools without understanding how those tools actually do the dirty work).

Having watched most of the videos at RealTeamHype’s youtube channel, it appeared that my source was telling the truth about the hijacked accounts: In fact, the videos at that channel documented such hijackings in progress using desktop screen-grabbing software. The videos even showed conversations with other team members in instant message windows in the background.

But I was reluctant to put much stock in the information until the source sent me a piece of information that only the attackers and my ISP would have known. On Friday, I received a call from Cox Communications, my Internet service provider. They wanted to know why I had paid $3,000 toward my account using several different credit card numbers. I assured them that I hadn’t made that payment. Then I heard from a member of Cox’s security team, who asked if I’d reset my password and if I’d indeed asked to cancel my Internet service. He was unsurprised to learn that I hadn’t. Apparently, hackers reset the password to my Cox email account by working out the answer to my secret question (this account is separate from my Cox user account, was set up over 10 years ago, and has never been used for anything remotely interesting or sensitive).

The source told me via email: “Hey brian, i just spoke to fear he told me phobia and his buddies were telling him that they hacked your cox email and paid your cox bill with hacked credit card, im not sure if this is true but im letting you know.”

I decided to give a call to the phone number included in the doxed records for Phobia, which rang at a home in Milford, Ct. A 20-year-old named Ryan Stevenson picked up the phone. After introducing myself, I asked Ryan if he knew anything about booter.tw, and he said he didn’t bother with booter sites because they were lame.

I then asked if he was part of an Xbox gaming group called TeamHype. He said yes, but that he hadn’t been associated with that group for six months. When I asked why, he said that his teammates had repeatedly called his house posing as the police, and had even SWATed his home — something his father confirmed by interjecting over Ryan’s voice. I told Ryan I found this strange, since TeamHype’s youtube channel was created on Dec. 26, 2012, and his youtube.com account “Phobia” had uploaded videos of Microsoft Xbox accounts being hijacked as recently as February 2013. What’s more, those videos (like the one reproduced here) show Phobia sending shouts out to his buddies.

Then I remembered where I’d heard the nickname “Phobia”: In a terrifying tale by Mat Honan, a wired.com reporter who woke up one day last year to find his Macbook and other Apple devices being remotely wiped of their data after hackers managed to commandeer his Apple iCloud account. According to Honan’s story, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” a hacker named Phobia reached out to him shortly after the incident. “Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down,” Honan wrote of his ordeal. “I agreed not to press charges, and in return he laid out exactly how the hack worked.”

I asked Ryan if he knew Mat Honan. Here’s a snippet of our conversation:

BK: I’m looking at a story in Wired magazine from Mat Honan about how his Apple iCloud account was hacked. Do you know this guy?

RS: Yeah, I used to.

BK: Uh huh. And is Honan referring to you in this article?

RS: Yeah.

BK: Yes?

RS: Uh huh.

BK: Did anything bad ever happen to you because of this?

RS: No.

BK: So, this was your doing with the Mat Honan hack, but you say you would never use a site like a stresser or…

RS: Yeah, I would never do that. That’s stupid.

BK: …or hack a reporter’s account or launch a denial of service attack against a reporter, or SWAT his house….

RS: <extended silence>

BK: So what’s the point of hacking a reporter’s iCloud account? Why’d you do that?

RS: Just to prove a point that, like…the security is breachable.

BK: Are you still on twitter?

RS: Yeah. But I changed my username yesterday.

BK: Really? Why?

RS: Because I don’t want to deal with people anymore. People call my house and pretend to be the police and stuff.

BK: Yeah, I know what you mean. So, what was your old Twitter account name?

RS: I think you know.

BK: PhobiaTheGod?

RS: Uh-huh.

BK: So what’s your new Twitter handle?

RS: <extended silence>

BK: Look, did you launch the attack on my site or not? Some of your gaming buddies sure seem ready to throw you under the bus for it.

RS: I didn’t even know who you were until someone tweeted your site. I just went to it to see what it was about.

At this point, Ryan’s dad grabs the phone and tries to tell me that his son didn’t really say that he hacked Mat Honan’s iCloud account, but that what he really said was he only knew the guy who hacked Honan’s account. Ryan’s dad goes on to explain that his son is basically a good kid who fell in with the wrong crowd, and that his son wouldn’t stoop to hacking other people, and certainly not to sending SWAT teams or any of that nonsense.

I decide to share with Ryan’s dad the URL for the TeamHype channel at youtube.com, and I can hear the father taking notes on the other end of the line. From the racket in the background noise behind the voice of Ryan’s dad, it’s clear that someone is furiously banging away at a computer keyboard. My suspicions are confirmed when I refresh the TeamHype youtube channel and find all of the videos have been deleted (the one above was cached in my window so I was able to re-record it).

This entire episode is giving me flashbacks that date back almost a decade, when I began communicating with a hacker group that called itself Team Defonic. These young men positively lived to hack into and post online personal data and photos belonging to celebrities and public figures. They also were obsessed with plundering databases for Social Security numbers and other sensitive information. Most of them were later arrested and jailed for their roles in breaking into Paris Hilton’s cell phone and hacking into accounts at Accurint, a law enforcement database run by data aggregator LexisNexis.

Stay tuned for more on this developing story. Meantime, many thanks again to all of you who’ve expressed concern or reached out via Twitter, Facebook (and Paypal!) to voice support and solidarity.

198 comments

I would greatly appreciate if someone could help me get in contact with Brian Krebs. I have been the target of these very same individuals, and have information which may be useful in his ongoing investigation.

I had already sent an email to the address provided by the site before posting this question, wise-ass. I was just asking if anyone had a more direct contact they could advise me of. Thanks for the help though.

Holy Sh*t, wow! These people are uncool & redundant. Practically kids, no less, carrying out serious, yet rather pointless crimes. What’s the point of doing something just to show “the security is breachable.” So what? People know this. Pretty much everyone has had their email hacked. I’ve had my email hacked & well done for whoever is so bored and sucks at life enough that reading riveting emails about cute shoes & what I ate for dinner last night is interesting to them. What a waste of time!

Ryan Stevenson: are you reading this? Krebs posted this story days ago. I’m just reading it now because I have a life. That’s what you need to do. Get a life, dude! Get a girlfriend! Get a W2 job! Go to school! Do something else with your time. Seriously. The same goes for your “friends.” The Xbox is not a panacea. Games aren’t real. The road you’re on is a fast track to dying alone and fugly in a prison cell. Jacking with Krebs is a waste of your time. Instead of sitting around worrying about what Krebs is doing, why not focus on yourself and some strategies to stop being a waste of space? You want to live with your dad forever? Hot chicks don’t want to date dudes that live with their dad. I know this because I am a hot chick. You thinking about hacking this site to get my email address? Don’t waste your time. My email is uninteresting. Nobody cares about it. Not even me. So change your name, since everyone now knows that you’re a major d-bag, and get a life, IRL. Move out of crazy town, get some hobbies outside the internet, travel, make some IRL friends. Take my free advice so you can be happy and have a good life. You can thank me later.

Tania, the guy victimized Brian because of selfish reasons, mostly to make money by relying on the ability to market his goods via reputation. His actions really have nothing to do with proving the security is vulnerable, it is a lie he uses to justify his behavior, like the other hackers and pirates of his generation. He never learned the value and consequences of doing right and wrong, and he and his parents will soon pay the price; they are the zombies.

You know, it’s beginning to get to the point that I’m thinking it’s society’s own fault for all this stuff. We let our kids, still in the impressionable, ethics-developing stage play shooter games, and play with computers to the point that six year olds can hack.

Perhaps we need to consider computer technology an age-restricted thing like alcohol and cigarettes.

But then again, I’ve been using computers since I was five (okay, a 286 isn’t much of a computer, but hey, it’s what I had) maybe it’s not what we let them do… but how we raise them. Scary ain’t it?

I disagree as far as blaming video games for bad behavior. Kids all over the world play the same games, but don’t have the same level of problems that American kids have. It’s not the games. It’s a symptom of the society.

Yes, it is true that *some* kids around the world play *some* of the same games, but do not generalize the USA to the world.

One of the things I was very pleased to discover is that people in continental Europe do not listen to rap / hip-hop for the most part. Russians have their own style of music. In Germany, one can walk round in a large city in the evening and hear classical music. I do not remember hearing some jerk with large subwoofers in his car playing thumpa-thumpa.

>>> “Kids all over the world play the same games”
>> And you know this exactly how?
>Because they do. You could also have a look at the sales. Are you also skeptical about kids all over the world watching movies?

No, I am skeptical about “everyone” playing the same game. The 1+ billion poor people in India and Africa most definitely do not play the same game you do.

Words have meaning. Use them appropriately.

>> One of the things I was very pleased to discover is that people in continental Europe do not listen to rap / hip-hop for the most part.
>Bullshit.

Perhaps you should look-up the definition of “for the most part.” Don’t assume that because *you* listen to rap-crap, that everyone in Latvia, Poland, Estonia, Lithuania, Hungary, etc — countries I have visited and you have not — also listens to it.

>> Russians have their own style of music.
>And what would that be?

Music with a basis in old Russian folk music. Go to YouTube and search on “angelika varum” or “sogdiana” or “zemfira” or “yulia savichaya” or “alla pugacheva”. You might learn something. Note how little rap-crap you find by searching on “russian music”.

>> In Germany, one can walk round in a large city in the evening and hear classical music. I do not remember hearing some jerk with large subwoofers in his car playing thumpa-thumpa.
>I live in Germany, and you’re full of shit.

Munich (in Marienplatz) is just one city where one can hear small bands of young people playing classical music for small change. I have also seen this in access tunnels leading to metro stations in Moscow and St. Petersburg. I have not heard rap-crap in the smaller cities, e.g. Leipzig and Dresden. Berlin certainly has it and that is probably where you live, but Berlin is only a small part of Germany.

Are you serious? You visited all these countries for epsilon time (clearly not enough time to actually learn their culture) and decided not to research whether any of what you’re saying is true before posting?

Let’s take up the mentioned countries as an example: Latvia, Poland, Estonia, Lithuania, Hungary, Russia, Germany

As a Polish gamer, I play the same ‘murican games online with individuals from all these countries, and yet we still have better smarts/morals than you folks who apparently (using you as an example) can’t reason for squat. Of course the poor in Africa/India don’t have games. That doesn’t say that the games have not spread to countries all over the world where those who have access to them play them. (inb4 you cluelessly stick in more counter-examples like Chinese or German censorship; not relevant to the point!)

Of course Russians have their own style of music. So do you ‘muricans, so does the whole damn world. Every single one of your named countries also has a non-trivial hip-hop scene. Was it that hard to youtube “[country] rap” before retardedly saying they don’t? I’m not 100% sure on the state in th’oher countries, but in Poland the hip-hop/(c)rap scene is pretty huge. Pezet, Liroy, NAS, Peja, Slums Attack, just off the top of my head as a tiny sample. Half our fucking kids listen to the shit. Just like we have a strong metal scene. Just like we have a strong EDM scene. Every single one of these countries does too and every single one of these countries has douchebags driving around blasting their choice of shitty music. Especially in smaller towns. That’s where most of the kids trying to be gangsta live after all.

Now how MUCH rap-crap do you find when you search ruski/russian rap instead?

I’ve lived (and not just visited (you really think you can tell someone who LIVES in Germany that you, a visitor, know more about his country?)) in Germany as well and you are indeed full of shit. Get to know the modern culture before commenting based on your shallow tourist experience. Have you been to the clubs in Dresden/Leipzig? You think the whole fucking country/continent is funny men dressed in green and playing accordions?

This was the comment that started this thread. It was bullsh!t then and it is still bullsh!t. The kids in your social group, even in different countries, probably all do play the same games, but kids all over the world do NOT play the same games. Stop arguing something which is, by definition, nonsense.

“Of course Russians have their own style of music. So do you ‘muricans, so does the whole damn world. … I’m not 100% sure on the state in th’oher countries, but in Poland the hip-hop/(c)rap scene is pretty huge.”

I have heard European rap and it is not nearly as annoying as American rap. It is not the same. You keep confusing this. I realize that Poles and Russians do not get along for the most part, but you still do not understand Russian music, as rap is a tiny portion of the overall music scene. Since you are not sure about those other countries, generalizing that Poland’s music scene must be the same as all other countries, it is safe to assume that you can’t reason for squat.

“Was it that hard to youtube ‘[country] rap’ before retardedly saying they don’t?”

Obviously if I search on “Russian rap” I will only see results for rap, whether rap is 100% or 0.000001% of Russian music overall. But if I search on “[country] music” I will see the common music for that country. For “USA music” I will see lots of rap and hip-hop, as well as other music. And for “Russian music” I will see virtually no rap. This is simple logic, a skill which you clearly lack.

There is no such word as “retardedly” but I expect that from children like you.

“Kids all over the world play the same games” is a much different and truer statement than “Every kid in the world plays the same games.” Every argument you’ve put out so far has been arguing against the latter.

What knowledge do you have of modern music trends that makes it more legit than mine? I’ve visited friends in Russia, Ukraine, Czech Republic, and Slovakia, as well as lived in Germany, and encountered no noticeable difference in the popularity of rap. Sure, for your sake I won’t generalize to every single country, but you shouldn’t generalize from your lack of knowledge either. What credentials do you have to tell me you know more as an outsider about the Russian music scene than I do?

The point was about how MUCH there is if you google for it. You think that if it weren’t popular, you wouldn’t have shows like Battle for Respect and Putin coming on stage… http://www.youtube.com/watch?v=Cm-4_G0koxU If you google “Polish music”, you won’t get nearly a representative sample of how popular rap/hip-hop is. You’re falling hard for the law of small numbers fallacy here. I appear to have access to a much higher representative sample of what younger people listen to in the bloc.

Words and grammar are malleable. If stupidly exists, there’s no reason to discount “retardedly” except for lack of use in the general population. I’m surprised you didn’t complain about my unique use of th’.

Teens and young adults pushing limits is developmentally appropriate. That’s what they do, if they’re progressing on the path to adulthood. They drink too much, drive too fast, date people their parents hate, etc. It’s the teen version of a one-year-old dumping his juice on the floor to see what happens when the cup is upside down. But in his case, the tools were available to do a lot more damage to a lot more people. Getting off the computer and having grown-up responsibilities would certainly help shorten this period of testing limits, but when the job market means a law degree will only qualify you to work at Starbucks, it’s not surprising people are remaining immature longer.

There’s a reason car insurance for males under 25 is so friggin’ expensive. They are more likely to be irresponsible and take dangerous risks.

There is nothing appropriate about criminal activity, especially violent criminal activity, no matter how easy it is to execute. There is nothing appropriate about this perpetrator’s activity, nor is the father’s behavior appropriate. Ryan’s behavior (if in fact it was Ryan Stevenson as Brian states) is not similar in any way to a one-year-old’s behavior, and sending a SWAT team to someone’s house jacked up on adrenalin with drawn weapons will never be acceptable or excusable behavior. The message that must be sent to all hackers and pirates should be unmistakably clear: this behavior will not be tolerated or excused, and has life-changing consequences for the perpetrators and accomplices (and their families). The value of public examples of criminal punishment cannot be denied; perhaps this is a good use of social media.

People should have to get an Internet license nowadays. You should have to take a lengthy test in proper net etiquette, internet security, and how to secure computers and websites. If you can’t do the right thing and end up doing B.S. like trolling, hacking, spamming, or criminal activity then the license should be revoked, then the person should be fined accordingly.

Licensing to restrict Internet access is not really the answer, it’s about teaching right and wrong – when morals are missing, the perpetrators have simply to lie to gain access, or go to the underground markets, just as with guns and gun control.

The better question is: how can we teach those who are considering the wrong decision the real value of making the right decision?

If you ask a liberal and a conservative, or a Muslim and a Catholic, you will receive two radically different answers on the definition of right and wrong. Which set of values should we be instilling in children? I agree with you in theory, but recent history has shown us that the solution is not obvious.

Blame it on Microsoft & Co. for badware and half-assed support, blame it on ISPs for not enforcing policies, blame it on administrations for inadequate education in times of so called information society, blame it on parents that have been happy the internet took their kids off the streets or blame it on the rain that was falling, but:

The discussion to limit internet access was over in the late 90s and as long as China, Cuba, Iran, North Korea, Saudi Arabia, Syria, Vietnam, Bahrain, Belarus, Burma, Turkmenistan or Uzbekistan don’t steamroll the rest of the world this won’t happen. (Okay, I’m not quite sure about the future of “CHIMERICA”…)

Wouldn’t you agree to include the illiterate computer users who fall victim to social engineering? Those same illiterate computer users fall victim to getting their Windows machines infected with malware (bank Trojans), get their FTP credentials taken, willingly give up their bank log-in information, and last but not least, fall victim to credit card and/or identity theft.

Furthermore, you have these types of people buying Windows 8 machines, turning them on and are completely clueless about setting it up properly. Do they know how to set up computer administrator/user accounts or set it up for the best internet security protection possible? Do they know how to do Microsoft updates? These types of people just turn on the computer and marvel over those stupid tiles. (Not a fan of Win 8)

Then there are the illiterate website builders who don’t know how to secure their websites. They end up getting hacked into, which leads to their B.S. website turning into a phishing scam, sending out junk email, doing D.D.O.S. attacks or serving up malware. Those same sites are also prone to SQL or C.S.S. injection attacks. Then there are the people who create C.M.S. sites like WordPress or Joomla who don’t update the server software which leads to the website being compromised. Or how about the idiot people who use weak passwords or FTP credentials, which then gets their website or server broken into, creating thousands of phishing websites. I have also seen servers completely rooted where anyone can access them, thanks to those miscreants we all know and love.

You are right about the I.S.P. or hosting administrators, time and time again I’ve seen the same ones serving up compromised phishing sites.

I see it almost every day, people who are totally computer illiterate. We are talking about not one hour on a computer time. People like this Steven’s guy and other internet miscreants prey on these types of individuals who are just starting off using the internet or building new websites.

It’s a bunch of amateurs trying to play like top dawgs. I can’t believe they’d be stupid enough to do stuff like SWAT a journalist who can find their public dox.

His Dad needs a wake up call. He sounds like an enabler trying to play lawyer for his son. I highly doubt he even knows that much about computers. He just wants to save his ‘bright’ kid from getting goatse’d in the USP.

Based on this report, it seems to me that Mr Stephenson may have conspired with his son to attempt to destroy evidence.

We know that nothing was really deleted from YouTube, Facebook, and Twitter.

In Virginia, an attempt to commit a crime, or assisting others in the commission of a crime, before or after the fact, is usually punishable with the same severity as if the person had actually and directly committed the act. This is laid out at the beginning of 18.2.

It’s also refreshing that in Virginia, we, as citizens, can appear before a magistrate and prosecute a crime ourselves. I have done this for bad checks and an auto theft. In each case the target was arrested and jailed, and the Commonwealth’s Attorney was able to extort guilty pleas from the defendants, so, I’ve never had to appear in court and present evidence for a prosecution that I have undertaken on my own.

Even if he was a kid, I was ready to kill commies for mommy when I was fourteen! Kids are animals that need to be controlled – if the parents won’t do it then blame the parent then. Some body gotta pay! Justice is just that – When I was a kid they would’a sent me to the state lockup facility for juveniles, for way less than that!

Video games don’t make people violent. It is a violent people tolerant and acclimated to violence who readily creates and consumes violence. As if gladiator battles turned Romans into bloodthirsty empire builders!

We have entered a dark reality where children can kill people older and wiser than them because we have raised them to accept such a reality as normal.